Oh crumbs! Cookies left unblocked by code errors, say academics

US— Thousands of websites may be dropping cookies on people’s computers against their wishes because of flaws in the code that web browsers such as Internet Explorer use to assess site privacy policies, according to Carnegie Mellon researchers.

Academics at the Pennsylvania university uncovered the issue through analysis of Platform for Privacy Preferences (P3P) compact policies (CPs), which are strings of three- and four-character tokens that summarise a website’s privacy policy as it pertains to cookies.

Web browsers use these CPs to evaluate a website’s data collection practices and then allow, reject or modify cookies accordingly.

Errors in the CPs, however, can result in cookies remaining unblocked. Of 33,000 websites analysed by the Carnegie Mellon researchers, 11,000 were found to contain flawed CPs – including 21 of the top 100 most-visited sites, as measured by Quantcast.
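To make the kind of error described above concrete, here is a small audit script, added to this article and not taken from the Carnegie Mellon paper or any browser, that pulls the CP string out of a P3P header and flags tokens outside the compact-policy vocabulary. The token lists are transcribed from the P3P 1.0 specification, the sample headers in the test are constructed, and the checker is deliberately permissive about case and about the a/i/o suffix on purpose and recipient tokens.

```python
import re

# P3P 1.0 compact-policy vocabulary (spec section 4), grouped by category.
CP_TOKENS = {
    "access":    {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes":  {"DSP"},
    "remedies":  {"COR", "MON", "LAW"},
    "nonident":  {"NID"},
    "purpose":   {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                  "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category":  {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                  "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test":      {"TST"},
}
ALL_TOKENS = set().union(*CP_TOKENS.values())
# Purpose and recipient tokens may carry a one-letter "required" suffix:
# a = always, i = opt-in, o = opt-out (e.g. "TAIa", "OTRo").
SUFFIXED = CP_TOKENS["purpose"] | CP_TOKENS["recipient"]


def parse_cp(header_value):
    """Return the CP="..." string from a P3P header value, or None if absent."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    return m.group(1) if m else None


def check_cp(cp):
    """Split a compact policy into (valid_tokens, invalid_tokens)."""
    valid, invalid = [], []
    for tok in cp.split():
        base, suffix = tok[:3].upper(), tok[3:].lower()
        ok_base = base in ALL_TOKENS
        ok_suffix = suffix == "" or (suffix in ("a", "i", "o") and base in SUFFIXED)
        (valid if ok_base and ok_suffix else invalid).append(tok)
    return valid, invalid


def audit_header(header_value):
    """Classify a P3P header as 'missing', 'invalid' (bad tokens) or 'ok'."""
    cp = parse_cp(header_value)
    if cp is None:
        return "missing", []
    valid, invalid = check_cp(cp)
    if invalid or not valid:
        return "invalid", invalid
    return "ok", []
```

Running this over a site's own response headers shows whether its CP is well-formed; it says nothing about whether the declared practices are truthful, which is the separate misrepresentation point the researchers raise.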

“We found thousands of sites using identical invalid CPs that had been recommended as workarounds for Internet Explorer cookie blocking,” the researchers said in a paper published last week.

“It appears that large numbers of websites that use CPs are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective.”

The allegations contained within the paper will further strengthen the cause of privacy advocates who are lobbying legislators to introduce online privacy legislation, arguing that self-regulation is not working to the advantage of consumers.

Last year academics at the University of California, Berkeley, drew attention to the practice known as ‘cookie respawning’, whereby data stored for use by Flash applications was also used to recreate cookies that had been deleted by users.

The work of the Berkeley researchers recently led to lawsuits being brought against a number of companies over their alleged use of respawning.